T1526 Google Chronicle · YARA-L

Detect Cloud Service Discovery in Google Chronicle

Adversaries who have gained access to a cloud environment may enumerate cloud services, resources, and configurations to identify valuable targets, understand security controls, and plan follow-on actions. This includes enumerating Azure resources via Azure Resource Manager API, Microsoft Graph API calls to list applications and service principals, AWS service enumeration via Pacu or direct CLI, and discovery of security services such as GuardDuty, Defender for Cloud, CloudTrail, and logging configurations. Tools like Stormspotter, AADInternals, and ROADTools automate this reconnaissance and are commonly observed in pre-ransomware and espionage campaigns.

MITRE ATT&CK

Tactic
Discovery
Technique
T1526 Cloud Service Discovery
Canonical reference
https://attack.mitre.org/techniques/T1526/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule cloud_service_enumeration {
  meta:
    author = "Detection Engineering"
    description = "Detects bulk cloud service discovery activity (T1526)"
    severity = "MEDIUM"
    tactic = "TA0007"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Azure Activity"
    $e.metadata.event_outcome = "ALLOW"
    re.regex($e.metadata.product_event_type, `(?i)(list|/read|/get)`) nocase
    $user = $e.principal.user.userid
    $ip = $e.principal.ip

  match:
    $user, $ip over 10m

  outcome:
    $op_count = count_distinct($e.metadata.product_event_type)

  condition:
    $op_count >= 8
}
```
Severity: Medium · Confidence: Medium

Chronicle YARA-L rule detecting bulk Azure resource enumeration across multiple resource types.

Data Sources

Azure Activity UDM Events

Required Tables

USER_RESOURCE_ACCESS

False Positives & Tuning

  • Cloud infrastructure automation tools (Terraform, Pulumi, Bicep) performing state refresh operations that enumerate all resource types across a subscription
  • Azure Security Center, Microsoft Defender for Cloud, or third-party CSPM platforms performing continuous posture assessments that enumerate resources
  • DevOps pipelines with service principals that run 'az resource list' or similar commands during environment validation steps
  • Cloud governance tools (Azure Policy compliance scans, Azure Advisor) that regularly enumerate resources to generate recommendations
  • IT administrators conducting authorized cloud inventory or migration assessments using tools like Azure Migrate or Azure Resource Graph
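To make the rule's logic concrete, here is an added Python example (not code from this page or from Chronicle) that re-implements the detection over constructed Azure Activity style events: the same event-type, product, outcome and read/list/get filters, a sliding 10-minute window per (user, ip), and the threshold of 8 distinct operations. It also shows one way to tune for the automation false positives listed above, via a hypothetical allowlist; the user names, IPs and the `sp-terraform-prod` identity are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # "over 10m" in the rule's match section
THRESHOLD = 8                         # "$op_count >= 8" in the rule's condition
READ_OPS = re.compile(r"(list|/read|/get)", re.IGNORECASE)
# Hypothetical tuning allowlist for automation identities (the rule above has none).
ALLOWLISTED_USERS = {"sp-terraform-prod"}

def detect_bulk_enumeration(events, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLISTED_USERS):
    """Return {(user, ip): max distinct read ops seen in any sliding window} for
    every (user, ip) pair that reaches the threshold."""
    groups = defaultdict(list)
    for ev in events:   # the same filters as the rule's events section
        if (ev["event_type"] != "USER_RESOURCE_ACCESS" or ev["product_name"] != "Azure Activity"
                or ev["outcome"] != "ALLOW" or not READ_OPS.search(ev["op"])
                or ev["user"] in allowlist):
            continue
        groups[(ev["user"], ev["ip"])].append((datetime.fromisoformat(ev["ts"]), ev["op"]))
    hits = {}
    for key, evs in groups.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({op for _, op in evs[start:end + 1]}))
        if best >= threshold:
            hits[key] = best
    return hits

# Constructed sample UDM-like events, not real telemetry.
AZURE_OPS = ["Microsoft.Compute/virtualMachines/read", "Microsoft.Network/virtualNetworks/read",
             "Microsoft.Storage/storageAccounts/read", "Microsoft.KeyVault/vaults/read",
             "Microsoft.Web/sites/read", "Microsoft.ContainerService/managedClusters/read",
             "Microsoft.Security/autoProvisioningSettings/read", "Microsoft.Sql/servers/read",
             "Microsoft.Storage/storageAccounts/listKeys/action"]

def _ev(user, ip, minute, op, outcome="ALLOW"):
    return {"event_type": "USER_RESOURCE_ACCESS", "product_name": "Azure Activity", "outcome": outcome,
            "user": user, "ip": ip, "op": op, "ts": f"2024-01-15T10:{minute:02d}:00"}

SAMPLE_EVENTS = (
    [_ev("alice@example.com", "203.0.113.7", i, op) for i, op in enumerate(AZURE_OPS)]      # 9 ops in 9 min
    + [_ev("bob@example.com", "198.51.100.2", i, op) for i, op in enumerate(AZURE_OPS[:3])]  # 3 ops: benign
    + [_ev("sp-terraform-prod", "10.0.0.5", i, op) for i, op in enumerate(AZURE_OPS)]      # allowlisted
    + [_ev("carol@example.com", "203.0.113.9", 5 * i, op) for i, op in enumerate(AZURE_OPS)]  # spread over 40 min
)
```

Only the burst of 9 distinct reads inside one window fires; the same 9 reads spread over 40 minutes never put more than 3 distinct operations in any window, which is the spacing a patient actor would use to stay under the threshold and why the window size is a tuning knob.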

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Azure Resource Enumeration via Azure CLI

    Expected signal: AzureActivity log entries for each az CLI command with OperationNameValue containing Microsoft.Compute/virtualMachines/read, Microsoft.Network/virtualNetworks/read, Microsoft.Storage/storageAccounts/read, Microsoft.KeyVault/vaults/read, Microsoft.Web/sites/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Security/autoProvisioningSettings/read. Caller will be the authenticated user or service principal. CallerIpAddress will reflect the source machine's IP.

  2. Test 2: Entra ID Enumeration via AADInternals PowerShell Module

    Expected signal: AuditLogs entries with Category='Core Directory' for tenant and domain read operations. User-Agent field in AdditionalDetails will contain 'AADInternals'. SigninLogs will show authentication events for the token acquisition. MicrosoftGraphActivityLogs (if enabled) will show HTTP GET requests to /v1.0/organization, /v1.0/domains, /v1.0/servicePrincipals with User-Agent='AADInternals'.

  3. Test 3: Microsoft Graph API Service Principal Enumeration via PowerShell

    Expected signal: AuditLogs entries: OperationName='List servicePrincipals', 'List applications', 'List directoryRoles', 'Get organization', 'Get policy' with Category='Core Directory' and 'ApplicationManagement'. InitiatedBy will reflect the authenticated user. MicrosoftGraphActivityLogs will show GET requests to /v1.0/servicePrincipals, /v1.0/applications, /v1.0/directoryRoles, /v1.0/organization, /v1.0/policies/authorizationPolicy.

  4. Test 4: AWS Cloud Service Discovery via Pacu Framework

    Expected signal: AWS CloudTrail logs: DescribeTrails, ListDetectors, DescribeInstances, ListRoles, ListBuckets, ListFunctions, ListClusters, ListSecrets events with eventSource matching cloudtrail.amazonaws.com, guardduty.amazonaws.com, ec2.amazonaws.com, iam.amazonaws.com, s3.amazonaws.com, lambda.amazonaws.com, ecs.amazonaws.com, secretsmanager.amazonaws.com. userAgent will contain 'aws-cli'. sourceIPAddress will reflect the caller's IP.
